Cryptography-Digest Digest #569
Cryptography-Digest Digest #569, Volume #14       Fri, 8 Jun 01 16:13:01 EDT

Contents:
  Re: National Security Nightmare? (nemo outis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Def'n of bijection (Douglas A. Gwyn)
  Re: practical birthday paradox issues (Douglas A. Gwyn)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: National Security Nightmare? (John Myre)
  Re: National Security Nightmare? (Douglas A. Gwyn)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and (Douglas A. Gwyn)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and (Douglas A. Gwyn)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and (Douglas A. Gwyn)
  Re: Notion of perfect secrecy (Douglas A. Gwyn)
  Re: shifts are slow? (Douglas A. Gwyn)
  Prime Directive was _Re: National Security Nightmare? (Dramar Ankalle)
  Re: Def'n of bijection (Mok-Kong Shen)

----------------------------------------------------------------------

From: [EMAIL PROTECTED] (nemo outis)
Subject: Re: National Security Nightmare?
Date: Fri, 08 Jun 2001 19:17:24 GMT

As a pedant and sciolist I should point out that it's "Let *him* who is without blame cast the first stone." :-)

Regards,

In article [EMAIL PROTECTED], Phil Carmody [EMAIL PROTECTED] wrote:
> ..snip...
> Let he who is without blame cast the first stone.
> ..snip...

------------------------------

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Fri, 08 Jun 2001 21:24:35 +0200

Tom St Denis wrote:
> Not to be a naive kid but I doubt even PhD math types could read a thesis and understand it in one pass. I find often the biggest problem with math papers/discussions is the lack of a good language to discuss it in. For example, my book on Group Theory I got (from Dover) only has 13 words in the entire text. The rest is vague human Egyptian art work that future archeologists will look at and say this means fire, and that's water, and
>
> For example, look at some of the papers by Vaudenay. Typically he goes overboard when trying to say the simplest thing. The benefits of decorrelation in GF(2^w) wrt diff/linear analysis can be summed up with two simple proofs. Yet he brings in all these weird symbols like ||A||^d_{oo}, etc., which looks neat, but doesn't mean anything to me. (I know ||A|| means normal form, but what normal form means is beyond me).
>
> In my MDFC paper I proved in about 1/2 a page that pair-wise decorrelation in GF(2^w) leads to functions immune to differential and linear analysis.
>
> [N.B. His papers go far into more formal notions of randomness, which is why he uses the funny notation. But to simply prove immunity to 1st order attacks you don't need such a lengthy paper]

I remember we had discussed similar topics in the past. Different books are written for people with different 'pre-knowledge' (my term). Thus not everything is explained in all details and with all rigor, it being assumed that the (intended) readers already know stuff above a certain level. Certainly, there are differences in the writing capabilities of the authors. Some are good pedagogically, i.e. good teachers, others less so. But I would be very careful in criticizing textbooks written by academics or papers in respected journals as vague, imprecise etc. etc. For it is the current tradition that these are well peer-reviewed. Further, common textbooks (those that sell en masse) are subjected to a selection process (in the Darwinian sense), so it is not very likely that books of that kind of very poor quality are on the market. If I have acquired enough knowledge in a scientific field and am able to read a lot of books with ease and then discover (on looking back) that a certain book is really poorly or carelessly written (with respect to the class of readers that I am sure the book is intended for), I would eventually venture to express my critiques, but not before that time point. Of course, that's my personal 'philosophy'; you may have yours that is quite different.

You said that some authors are explaining too much, i.e. with unnecessary details. But this is probably because you know more on that particular point than the average reader that the authors have in mind. For one who doesn't have that 'pre-knowledge', one would be very grateful to the authors for easing their way of capturing the stuff with these details. There are literatures of diverse levels. If you find one class too easy/simplistic for you, switch to a higher class. Sometimes one has to switch in the reverse direction. (At least this is often my personal experience.) This is analogous to what I knew in school education when I was young. (I have no knowledge of the current systems.) At that time pupils that were exceptionally good were allowed to jump classes. Transfers in the reverse direction
Cryptography-Digest Digest #569, Volume #13       Sat, 27 Jan 01 14:13:01 EST

Contents:
  Re: Mr Szopa's encryption (was Why Microsoft's Product Activation Stinks) (Alan Mackenzie)
  Re: How many bits of security can a password give? (George Weinberg)
  Re: Dynamic Transposition Revisited (long) (Mok-Kong Shen)
  Re: what was the problem with E2 ? (DJohn37050)
  Re: Paranoia (Roger Schlafly)
  Re: 32768-bit cryptography, updated (Splaat23)
  Re: Paranoia (Roger Schlafly)
  Re: Why Microsoft's Product Activation Stinks (Lord Running Clam)
  Re: 32768-bit cryptography, updated (Mike 8465)
  Re: Why Microsoft's Product Activation Stinks (Splaat23)
  Description of algorithm (Mike 8465)
  Re: What do you do with broken crypto hardware? ("Douglas A. Gwyn")

----------------------------------------------------------------------

From: Alan Mackenzie [EMAIL PROTECTED]
Crossposted-To: or.politics,talk.politics.crypto,misc.survivalism
Subject: Re: Mr Szopa's encryption (was Why Microsoft's Product Activation Stinks)
Date: Sat, 27 Jan 2001 14:00:32 +

Anthony Stephen Szopa [EMAIL PROTECTED] wrote on Sat, 27 Jan 2001 03:53:12 -0800:
> Alan Mackenzie wrote:
>> [A few comments on the controversy over Mr. Szopa's encryption program.]

> All one need do is read the first three help files and you would have all the information you need to answer all your questions. This is why I posted the Help Files to begin with. Give them a try.

> You know the rules: one of them is that the attacker knows everything about the algorithm.

Indeed so. Other posters on these newsgroups have been asserting that they _don't_ know everything about the algorithm. Possibly you could help clarify whether or not this is the case by giving a direct answer to the following question:

Could a software engineer, using as a specification only the descriptive material available at your web site, duplicate your encryption program? That is, for any given plaintext, identical key material, and identical states for any programmable pseudo random number generators, his program and your program would produce the same cyphertext.

-- 
Alan Mackenzie (Munich, Germany)
Email: [EMAIL PROTECTED]; to decode, wherever there is a repeated letter (like "aa"), remove one of them (leaving, say, "a").

------------------------------

From: [EMAIL PROTECTED] (George Weinberg)
Subject: Re: How many bits of security can a password give?
Date: Sat, 27 Jan 2001 16:54:11 GMT

On Wed, 24 Jan 2001 11:50:11 -0800, "Joseph Ashwood" [EMAIL PROTECTED] wrote:
> "Erik Runeson" [EMAIL PROTECTED] wrote in message news:94nafd$lff$[EMAIL PROTECTED]...
>> I'm trying to find an upper limit to how strong a regular password can be.
>
> Depends on the password. If you let the user choose an English word, it is rather predictably 1 bit of entropy per character. If you require that there be at least one capital, they will almost certainly capitalize the first letter, so maybe .25 bits of entropy added. Adding a number on the end adds an average of log2(10) although it will be biased towards 1. So your normal passwords would have anywhere from 6 to ~12 bits of entropy.

This is way pessimistic. 12 bits of entropy implies you could get it with a dictionary attack with only 4000 guesses. Six bits means you would only need 64 guesses!

> If you educate them to use random capitalization that can be your best friend, it adds a pure 1 bit of entropy per character.

Only if the capitalization is truly random, and then it makes it hard to remember.

George

> If they use diceware, along with random capitalization you are in very good shape and they will probably have more entropy in their passphrase than you will harvest in your verification.
> Joe

------------------------------

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Dynamic Transposition Revisited (long)
Date: Sat, 27 Jan 2001 18:08:27 +0100

John Savard wrote:
> Mok-Kong Shen [EMAIL PROTECTED] wrote, in part:
>> I suppose you have a different and problematical concept of the (THEORETICAL) OTP. The bit sequence of OTP is by definition/assumption unpredictable. If a 'claimed' OTP uses a predictable bit sequence and consequently is weak as you said, then it is by definition NOT an OTP, though snake-oil peddlers used to call that OTP.
>
> This is true. But Terry Ritter isn't talking about fake OTPs based on algorithmic PRNGs, as far as I understand it. He is saying that even what people acknowledge as "real" OTPs, where the key has been generated by physical randomness, aren't provably the 'theoretical OTP', because you can't prove a particular physical random noise generator to be perfect.
>
> That is not, in itself, untrue. Physical random number generators can have bias, for example. However, it is his insistence that this is a major concern, and more specifically the implication that this makes the proof that th
Cryptography-Digest Digest #569, Volume #12       Wed, 30 Aug 00 01:13:00 EDT

Contents:
  Re: Patent, Patent is a nightmare, all software patent shuld not be allowed (qun ying)
  Re: Serious PGP v5 v6 bug! ("Nathan Williams")
  Re: The DeCSS ruling (Eric Smith)
  Re: The DeCSS ruling (Roger Schlafly)
  Re: Future computing power (David A Molnar)
  Re: Future computing power (David A Molnar)
  Re: Best way! (Eric Smith)
  Re: Destruction of CDs (Eric Smith)
  Re: PRNG Test Theory ("Trevor L. Jackson, III")
  Re: The DeCSS ruling (David A. Wagner)
  Re: "Warn when encrypting to keys with an ADK" (Philip Stromer)
  Re: Patent, Patent is a nightmare, all software patent shuld not be allowed (John Savard)
  Re: Best way! (Edward A. Falk)
  Re: 4096 BIT RSA Key ([EMAIL PROTECTED])
  Re: Bytes, octets, chars, and characters (Brian Inglis)

----------------------------------------------------------------------

From: qun ying [EMAIL PROTECTED]
Subject: Re: Patent, Patent is a nightmare, all software patent shuld not be allowed
Date: Wed, 30 Aug 2000 02:03:24 GMT

In article [EMAIL PROTECTED], Mok-Kong Shen [EMAIL PROTECTED] wrote:
> I wonder in the case in question how much is actually 'disclosed' in the text that one can read on the web page cited. Are there more texts about that patent that one can read? Or are these texts inaccessible to the public? Since the patent apparently has the potential of attacking at the very root of PK applications, if I don't err, we should pay due attention to the issue, I suppose.
>
> M. K. Shen
> http://home.t-online.de/home/mok-kong.shen

The actual patent is not much more than you can see from the web, just a few more diagrams. I get the impression that it is some kind of hotmail service with a PKI system. But I don't think that will qualify for the patent. The company is also selling products based on the patent. The company's address: http://www.tumbleweed.com/

Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: "Nathan Williams" [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: Serious PGP v5 v6 bug!
Date: Wed, 30 Aug 2000 02:17:45 GMT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

No it doesn't. Reread my post, Shawn. The "master" KEY is SPLIT!!! No one person could decrypt and use the stored keys.

"Shawn Willden" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> No, this solution is far worse than the ADK solution. This solution gives someone else control of your private key, meaning they can impersonate you. This scenario allows a tie-dyed, sockless, ponytailed, late-to-work-every-day geek who hasn't been fired yet only because HR isn't sure they could find a replacement in this unbelievably tight technical-labor market to impersonate the CEO; not a good idea. [Nothing against tie-dye, ponytails, Tevas or going to work late, BTW; I fit that profile whenever possible.]
>
> Really, there is no weakness created by an ADK in a proper implementation. The only "badness" about ADKs in general is that they create yet another opportunity for making mistakes. But then *any* key escrow solution creates another opportunity for error. IMO, ADKs are a reasonable solution, as long as they are properly authenticated (part of the signed public key package).
>
> Shawn.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBOaxugd8G10zX/RREEQJdJACferMr1c1UW2brQ0Sflf39Iyb2Bw8AoPRl
WNRGF+eeSyEbIE3nPLY4jdPO
=T15t
-----END PGP SIGNATURE-----

------------------------------

From: Eric Smith [EMAIL PROTECTED]
Subject: Re: The DeCSS ruling
Date: 29 Aug 2000 19:20:36 -0700

"Trevor L. Jackson, III" [EMAIL PROTECTED] writes:
> Does a security system that publishes the cipher key count as copy protection?

Calling it copy protection does not make it copy protection. US Code, Title 17, Chapter 12, Section 1201 (b)(2)(B) sets the legal standard:

    a technological measure `effectively protects a right of a copyright owner under this title' if the measure, in the ordinary course of its operation, prevents, restricts, or otherwise limits the exercise of a right of a copyright owner under this title.
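The "master key is SPLIT" point in Nathan Williams' PGP post above rests on threshold secret sharing: the key is divided into n shares of which any t recover it, while any t-1 reveal nothing. The following Python implementation of Shamir's scheme is an added example for this digest, not code from the original posts, from PGP, or from any escrow product. The 127-bit Mersenne prime used as the field modulus, the SystemRandom coefficients and the constructed 15-byte "key" are choices made here.

```python
"""Shamir threshold secret sharing over the prime field GF(p).

Added example for the 'split master key' in the PGP thread above; it is not
code from the original digest, from PGP or from any escrow product.  A master
key is split into n shares; any t of them recover it by Lagrange interpolation
at x = 0, while t-1 shares leave every value of the secret equally possible.
Assumptions made here: the 127-bit Mersenne prime as field modulus (secret must
be smaller than it) and SystemRandom for the random polynomial coefficients."""
import random

PRIME = 2**127 - 1  # field modulus (assumption); secrets must be < PRIME


def _eval_poly(coeffs, x):
    """Evaluate a0 + a1*x + ... + a_{t-1}*x^(t-1) mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, t, n, rng=None):
    """Split `secret` into n shares (x, y) of which any t reconstruct it.

    The secret is the constant term of a random polynomial of degree t-1;
    share i is the point (i, f(i)) for i = 1..n (x = 0 is never issued)."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in [0, PRIME)")
    if not 1 <= t <= n < PRIME:
        raise ValueError("need 1 <= t <= n")
    rng = rng or random.SystemRandom()
    coeffs = [secret] + [rng.randrange(PRIME) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from distinct shares.

    With fewer than t shares this still returns a field element, but it is
    the constant term of the wrong (lower-degree) polynomial, not the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # den != 0 because the x's are distinct and PRIME is prime
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def demo():
    """Split a constructed 120-bit key 3-of-5 and show which subsets recover it."""
    secret = int.from_bytes(b"constructed key", "big")  # constructed, 15 bytes
    shares = split_secret(secret, t=3, n=5)
    return {
        "three_shares_ok": recover_secret(shares[:3]) == secret,
        "other_three_ok": recover_secret([shares[0], shares[2], shares[4]]) == secret,
        "two_shares_ok": recover_secret(shares[:2]) == secret,  # False: below threshold
    }


if __name__ == "__main__":
    print(demo())
```

The split itself does not address Shawn Willden's objection: whoever runs the reconstruction still ends up holding the whole key, so in practice the custodians' shares must be combined only inside a controlled procedure (or a device) that uses the key without handing it to any one person.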
------------------------------

From: Roger Schlafly [EMAIL PROTECTED]
Subject: Re: The DeCSS ruling
Date: Tue, 29 Aug 2000 19:27:32 -0700

Eric Smith wrote:
> US Code, Title 17, Chapter 12, Section 1201 (b)(2)(B) sets the legal standard:
>
>     a technological measure `effectively protects a right of a copyright owner under this title' if the measure, in the ordinary course of its operation, prevents, restricts, or otherwise limits the exercise of a right of a copyright owner under this title.

The word "effectively" is the interesting one. The whole purpose
Cryptography-Digest Digest #569, Volume #11       Mon, 17 Apr 00 21:13:01 EDT

Contents:
  Re: Twofish problems... (Ron Yaklime)
  Re: Sony's Playstation2 export-controlled (Diet NSA)
  updated paper on easy entropy (Tom St Denis)
  Fighting fire with fire: using encryption to bust encryption [0/2] (Gideon Samid)
  Fighting fire with fire: using encryption to bust encryption [0/2] (Gideon Samid)
  Fighting fire with fire: using encryption to bust encryption [0/2] (Gideon Samid)
  Re: GOST idea (Tom St Denis)
  Re: Paper on easy entropy ("Trevor L. Jackson, III")
  Just another idea... (Pred.)
  Re: GOST idea (Mok-Kong Shen)
  Re: Paper on easy entropy (Tom St Denis)
  Re: AES-encryption (Tom St Denis)
  Re: Paper on easy entropy (stanislav shalunov)
  Re: GOST idea (Mok-Kong Shen)
  Re: Paper on easy entropy (Mok-Kong Shen)
  Fighting fire with fire: using encryption to bust encryption [0/2] (Gideon Samid)
  Fighting fire with fire: using encryption to bust encryption [0/2] (Gideon Samid)
  Fighting fire with fire: using encryption to bust encryption [0/2] (Gideon Samid)
  Encryption as a cryptanalysis tool [0/2] (Gideon Samid)

----------------------------------------------------------------------

From: [EMAIL PROTECTED] (Ron Yaklime)
Subject: Re: Twofish problems...
Date: Mon, 17 Apr 2000 23:10:52 GMT

[EMAIL PROTECTED] (JONATHAN DINERSTEIN) wrote:
> Can somebody help out a struggling college student??? I'm working with Twofish... ...Does anyone have any suggestions or advice?

[EMAIL PROTECTED] (Bruce Schneier) wrote:
> If you're still able to encrypt and decrypt properly, then whatever mistake you're making is repeatable. I don't know what you're doing wrong, but if you can't match the test vectors then what you have isn't Twofish.

I'll bet Jonathan appreciates the Internet just a little bit more now than he did yesterday!

-- 
"Ron Yaklime" is actually 8759 243610 [EMAIL PROTECTED].
012 3456789 - Use this key to decode my email address and name.
Play Five by Five Poker at http://www.5X5poker.com.

------------------------------

Subject: Re: Sony's Playstation2 export-controlled
From: Diet NSA [EMAIL PROTECTED]
Date: Mon, 17 Apr 2000 16:02:35 -0700

In article 38FB50FD.17457E25@t-online.de, Mok-Kong Shen mok-[EMAIL PROTECTED] wrote:
> I read in today's newspaper that Sony's PlayStation2 (there were mentions to it in some recent threads of this group) is under export control of Japan. This seems to indicate that its 128 bit processor is indeed very powerful.

The PlayStation2 is not under export control for crypto reasons but because it does high speed image processing similar to the type done in some missile guidance systems.

"I feel like there's a constant Cuban Missile Crisis in my pants." - President Clinton commenting on the Elian Gonzalez situation

===
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!

------------------------------

From: Tom St Denis [EMAIL PROTECTED]
Subject: updated paper on easy entropy
Date: Mon, 17 Apr 2000 23:18:23 GMT

I updated the paper (new content and fixed the source), but there are probably still some flaws... Anyways you can get it at

(html, some formatting lost) http://24.42.86.123/entropy/base.html
(pdf) http://24.42.86.123/files/entropy.pdf
(ps) http://24.42.86.123/files/entropy.ps

Tom

------------------------------

From: Gideon Samid [EMAIL PROTECTED]
Subject: Fighting fire with fire: using encryption to bust encryption [0/2]
Date: Mon, 17 Apr 2000 23:37:06 GMT

FIGHTING FIRE WITH FIRE: USING ENCRYPTION TO BUST ENCRYPTION

DES, like other strong cryptographies, is characterized by random-like attributes, on which it rests. Thus a change of one bit in the DES key will change each bit in the ciphertext with a probability close to 50%. Similarly for unit changes in the plaintext. This pattern-less aspect indicates cryptographic strength.

Using TaKE (Tailored Key Encryption) one could find a key that would fit a given ciphertext C with a plaintext of choice P. Hence any C, however random-like, may be transformed to a string P, which is as "far from being random" as desired. Similarly, given a set of ciphertexts C1, C2, C3... one could iteratively look for a key K such that the corresponding plaintexts P1, P2, ... will be increasingly non-random. This de-randomization process may apply to any given set of random strings. It can be applied to sets of DES variables (C, K, P) which are subject to cryptanalysis. In the transformed format these DES variables will lose their random-like property, and will be vulnerable to any of today's powerful pattern recognition tools. De-randomization (or encryption against encryption) can also be used in conjunction with the prevailing methods
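The opening paragraph of Gideon Samid's post states the avalanche property: flipping one key bit, or one plaintext bit, flips each output bit with probability near 1/2. The Python script below is an added example for this digest, not code from the post or from Samid's TaKE work; it measures that fraction empirically for any keyed primitive of the form prim(key, msg) -> bytes. Because Python's standard library has no DES, HMAC-SHA256 stands in as the keyed primitive (an assumption made here); a DES-ECB wrapper from a third-party library can be passed in the same way to test DES itself. A plain XOR "pad" is included as the contrasting case that fails the test.

```python
"""Empirical avalanche test for the 'random-like' property claimed for DES.

Added example, not part of the digest or of Gideon Samid's work.  The post
states that flipping one key bit (or one plaintext bit) flips each output bit
with probability near 1/2; this script measures that fraction for any keyed
primitive of the form prim(key, msg) -> bytes.  Assumption: Python's standard
library has no DES, so HMAC-SHA256 stands in; pass a DES-ECB wrapper from a
third-party library to test DES itself.  A plain XOR 'pad' is the contrast."""
import hashlib
import hmac
import random


def _rand_bytes(rng, n):
    """n constructed random bytes from a seeded generator (no cryptographic meaning)."""
    return bytes(rng.getrandbits(8) for _ in range(n))


def _flip_bit(data, bit_index):
    """Return a copy of `data` with one bit (0 = LSB of byte 0) inverted."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def _hamming(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def hmac_sha256(key, msg):
    """Stand-in keyed primitive (assumption: used in place of DES)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor_pad(key, msg):
    """Contrast case: one flipped input bit flips exactly one output bit."""
    return bytes(k ^ m for k, m in zip(key, msg))


def avalanche_fraction(prim, key_len, msg_len, flip_key, trials=200, seed=1234):
    """Mean fraction of output bits that change when one random bit of the key
    (flip_key=True) or of the message (flip_key=False) is inverted.

    A fixed seed makes the measurement reproducible; the inputs are
    constructed here and carry no meaning.  Defaults of 8-byte key and
    8-byte message match DES's key and block size."""
    rng = random.Random(seed)
    changed = total = 0
    for _ in range(trials):
        key = _rand_bytes(rng, key_len)
        msg = _rand_bytes(rng, msg_len)
        base = prim(key, msg)
        if flip_key:
            alt = prim(_flip_bit(key, rng.randrange(key_len * 8)), msg)
        else:
            alt = prim(key, _flip_bit(msg, rng.randrange(msg_len * 8)))
        changed += _hamming(base, alt)
        total += len(base) * 8
    return changed / total


def looks_random_like(prim, key_len=8, msg_len=8, tol=0.05):
    """True when both the key-flip and the message-flip fractions are within
    `tol` of 0.5, i.e. the primitive shows the avalanche property the post
    describes.  Passing this is necessary for strength, not sufficient."""
    return all(abs(avalanche_fraction(prim, key_len, msg_len, flip) - 0.5) <= tol
               for flip in (True, False))


if __name__ == "__main__":
    for name, prim in (("HMAC-SHA256", hmac_sha256), ("XOR pad", xor_pad)):
        print(name,
              "key flip:", round(avalanche_fraction(prim, 8, 8, True), 3),
              "msg flip:", round(avalanche_fraction(prim, 8, 8, False), 3),
              "random-like:", looks_random_like(prim))
```

Note that this check only measures the property the post asserts; it says nothing about whether a key "tailored" to map a given C to a chosen P can be found, which is the separate and unsupported claim the rest of the post makes.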